CN100379315C - Method for carrying out authentication on user terminal - Google Patents


Info

Publication number
CN100379315C
Authority
CN
China
Prior art keywords
user terminal
binding information
request
address
hss
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB2005100774766A
Other languages
Chinese (zh)
Other versions
CN1802016A (en)
Inventor
黄迎新
朱奋勤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CNB2005100774766A (CN100379315C)
Priority to EP06742203A (EP1816825A4)
Priority to PCT/CN2006/001416 (WO2006136106A1)
Priority to CNA2006800123062A (CN101160920A)
Publication of CN1802016A
Priority to US11/735,541 (US20070249342A1)
Application granted
Publication of CN100379315C
Legal status: Expired - Fee Related (current)
Anticipated expiration

Classifications

    All under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L 63/08: Network architectures or network communication protocols for network security; authentication of entities
    • H04L 63/0876: Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 67/02: Network arrangements or protocols for supporting network services or applications; protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 65/1016: Network arrangements, protocols or services for supporting real-time applications in data packet communication; IP multimedia subsystem [IMS]

Abstract

The present invention discloses a method for authenticating a user terminal. Its key point is that after an application service entity receives an access request carrying a user identity from a 2G user terminal, it obtains from the HSS, according to that identity, binding information consisting of the IP address and the identity of the 2G user terminal. The application service entity then judges whether the binding information it has stored matches the IP address and identity of the 2G user terminal that initiated the access request. If they match, the 2G user terminal passes authentication; otherwise it does not. Applying the present invention achieves authentication of a 2G user terminal that accesses an application service entity directly, which both guarantees access for legitimate users and guarantees network security, and in particular allows IMS-based services deployed early to be configured and operated normally.

Description

Method for authenticating a user terminal
Technical field
The present invention relates to the field of mobile communication technology, and in particular to a method for authenticating a 2G user terminal that accesses an application service entity directly.
Background technology
With the development of broadband networks, mobile communication is no longer confined to traditional voice. By combining data services such as presence, short message, web browsing, location information, push and file sharing, it can deliver services of many media types (audio, video, pictures, text) to meet users' varied needs.
3GPP and 3GPP2 have each released IP-based IP Multimedia Subsystem (IMS) frameworks, whose goal is to use a standardized open architecture in the mobile network to deliver diverse multimedia applications, offering users more choice and a richer experience.
The IMS framework is overlaid on the packet-switched domain (PS domain). Its authentication-related entities are the Call Session Control Function (CSCF) and the Home Subscriber Server (HSS). The CSCF is divided into three logical entities, the Serving CSCF (S-CSCF), the Proxy CSCF (P-CSCF) and the Interrogating CSCF (I-CSCF), which may be separate physical devices or different functional modules within one physical device. The S-CSCF is the service control centre of IMS: it performs session control, maintains session state, manages user information and generates charging information. The P-CSCF is the access point through which a terminal user reaches IMS and handles user registration, quality of service (QoS) control and security management. The I-CSCF is responsible for interworking between IMS domains, manages the assignment of S-CSCFs, hides the network topology and configuration from the outside, and produces accounting data. The HSS is the central subscriber database that supports the call and session processing of every network entity.
In its initial release (Release 5) IMS was designed only for use in 3G networks. Because IMS services are so rich, operators wanted to use IMS on 2G networks as well, but a 2G network cannot support the IMS security functions that depend on the 3G network, for example authentication based on the 3G authentication vector (quintet) with network authentication. To solve the subscriber authentication problem that 2G users face when using IMS, 3GPP proposed a transitional authentication scheme that provides a certain level of security for IMS services over 2G. When a user supports the 3G authentication scheme, the full 3G-based scheme is used to authenticate the accessing user instead. In this way both 2G and 3G users can use IMS services after authentication. The transitional scheme is commonly called the Early IMS authentication mode, and the full 3G-based scheme the Full 3GPP IMS authentication mode.
Any 2G or 3G UE can both use services provided by an IMS-based application server (AS), for example the presence service, and perform simple management operations on an IMS-based AS or on an AS proxy (AP), for example managing group list information held on the AS or AP.
When a UE wants to use a service provided by an IMS-based AS, it first attaches to the 3GPP packet domain, then passes IMS authentication, and only then can it use the service. For a 2G UE, IMS authenticates with the Early IMS mode; for a 3G UE, with the Full 3GPP IMS mode.
When a UE wants to perform management operations on an IMS-based AS, directly or through an AP, it still first attaches to the 3GPP packet domain, but it then accesses the AS or AP directly over the Ut interface, so IMS itself no longer authenticates the UE. Existing protocols stipulate that a UE accessing an AS or AP directly in this way must first be authenticated with the Generic Authentication Architecture (GAA) before it may access the AS or AP.
However, the existing GAA-based authentication mode is designed for 3G user terminals and does not support authenticating 2G user terminals. This inevitably leads to one of two situations: either the 2G user terminal cannot access the AS at all, or the 2G user terminal accesses it directly without any authentication.
If 2G user terminals are not allowed access, the operator loses a great deal of business and user satisfaction with the operator drops.
If 2G user terminals may access directly without authentication, the security of the AS and of the whole network obviously cannot be guaranteed.
Summary of the invention
In view of this, the object of the present invention is to provide a method for authenticating a user terminal, so that a 2G user terminal that accesses an application service entity directly can be authenticated.
To achieve this object, the technical scheme of the present invention is as follows:
A method for authenticating a user terminal, applicable to a 2G user terminal that accesses an application service entity directly. The 2G user terminal, having attached to the 3GPP network, has obtained an IP address, and the Home Subscriber Server (HSS) has stored binding information consisting of that IP address and the identity of the 2G user terminal. The method further comprises the following steps:
A. The 2G user terminal initiates an access request to the application service entity, carrying its own identity in the request. Based on the received access request, the application service entity obtains from the HSS the binding information consisting of the IP address and identity of this 2G user terminal, and stores it.
B. The application service entity judges whether the binding of IP address and identity it has stored for this 2G user terminal matches the IP address and identity of the 2G user terminal that initiated the access request. If they match, the 2G user terminal passes authentication; otherwise it does not.
Preferably, the access request initiated by the 2G user terminal also carries an authentication mode identifier.
When the authentication mode identifier indicates the early generic authentication framework mode, the application service entity obtains the binding of this 2G user terminal's IP address and identity from the HSS through the Bootstrapping Server Function (BSF), the entity that performs the initial check of user identity.
Preferably, the process by which the application service entity obtains the binding of the 2G user terminal's IP address and identity from the HSS through the BSF, and stores it, comprises the following steps:
The application service entity sends a request for authentication information to the BSF, carrying the identity of the user terminal. On receiving this request, the BSF requests the binding of the 2G user terminal's IP address and identity from the HSS according to the identity carried in the request, and returns the binding information it obtains directly to the application service entity, which stores it.
The message with which the BSF requests the binding information from the HSS carries an authentication scheme field, and this field is set to early IMS.
Preferably, the BSF is either an Early-BSF that has only a query function, or a BSF that supports the full 3G functions and also has the Early-BSF function.
Preferably, when the application service entity requests the binding information from the HSS through the BSF, the application service entity and the HSS that stores the binding information may belong to the same home network or to different home networks.
Preferably, the access request initiated by the 2G user terminal also carries an authentication mode identifier.
When the authentication mode identifier indicates the direct authentication mode, the application service entity sends the binding information request directly to the HSS, and receives and stores the binding of this 2G user terminal's IP address and identity returned by the HSS.
Preferably, the request the application service entity sends to the HSS is carried in a User-Data-Request (UDR) message whose attribute information indicates that binding information is requested; the response the HSS returns to the application service entity is carried in a User-Data-Answer (UDA) message whose attribute information likewise indicates the requested binding information.
Preferably, when the application service entity requests the binding information directly from the HSS, the application service entity and the HSS that stores the binding information belong to the same home network.
Preferably, the access request the 2G user terminal sends to the application service entity is carried in an HTTP GET request message of the HTTP protocol;
the authentication mode identifier in the request is carried in the User-Agent field of the HTTP GET.
Preferably, the identity in the access request is the user's public identity (IMPU);
the binding of the 2G user terminal's IP address and identity that the application service entity obtains from the HSS is either the correspondence between the IMPU carried in the access request and the IP address of the 2G user terminal, or the correspondence between all IMPUs held by the 2G user terminal that initiated the access request and its IP address.
Preferably, the method further comprises: a Transport Layer Security (TLS) tunnel is established between the 2G user terminal and the application service entity, and only then is step A performed.
Preferably, the application service entity is an application server (AS) or an application server proxy (AP).
The key point of the present invention is that after the application service entity receives an access request carrying a user identity from the 2G user terminal, it obtains from the HSS, according to the user identity in the access request, the binding of this 2G user terminal's IP address and identity; it then judges whether the binding of IP address and identity it has stored for this 2G user terminal matches the IP address and identity of the 2G user terminal that initiated the access request. If they match, the 2G user terminal passes authentication; otherwise it does not. Applying the present invention achieves authentication of a 2G user terminal that accesses an application service entity directly, which both guarantees that legitimate users can access and guarantees the security of the network. In particular, IMS-based services deployed early can be configured and operated normally.
Description of drawings
Figure 1 is a schematic flow chart of embodiment one of the present invention;
Figure 2 is a schematic flow chart of embodiment two of the present invention.
Embodiment
The present invention is described in further detail below with reference to the drawings and specific embodiments.
Figure 1 is a schematic flow chart of embodiment one. In this embodiment a 2G UE has attached to the 3GPP packet domain and has obtained the IP address allocated to it by the Gateway GPRS Support Node (GGSN) of the packet network. At the same time the GGSN sends the UE's telephone number (MSISDN), its International Mobile Subscriber Identity (IMSI) in the packet domain, its IP address and related information to the HSS. The HSS finds the user's private identity in the IMS system (IMPI) from the MSISDN or IMSI, and stores the UE's IMPI, the public identities (IMPUs) corresponding to that IMPI, the MSISDN and the UE's IP address bound together. This embodiment is described taking a 2G UE accessing an AS as the example.
Step 101: the 2G UE initiates an access request to the AS, carrying its own identity, for example its IMPU. The request also carries an identifier of the authentication mode the UE supports. For the existing HTTP-based Ut interface, the User-Agent field of the HTTP GET message can carry this identifier. In this embodiment the authentication mode the 2G UE supports is the early Ut authentication mode using GAA; the identifier of this mode is written Early-GAA-Ut, and Early-GAA-Ut is added to the User-Agent field of the HTTP message.
Step 102: on judging from the received access request that the authentication mode identifier is Early-GAA-Ut, the AS sends a request for authentication information to the Bootstrapping Server Function (BSF), the entity that performs the initial check of user identity. This message carries the user identity received from the UE. The BSF in this step may be an Early-BSF that has only a query function, or a BSF that supports the full 3G functions and also has the Early-BSF function.
In the 3G GAA implementation, when the AS requests authentication information from the BSF it must carry the bootstrapping transaction identifier (B-TID) allocated by the BSF, whereas in the Early-GAA-Ut mode there is no B-TID allocated by the BSF. A BSF that supports the full 3G functions and also has the Early-BSF function can therefore, on receiving the request for authentication information from the AS, distinguish the normal 3G GAA mode from the Early-GAA-Ut mode by judging whether the message carries a B-TID or a user identity.
Step 103: the BSF receives the AS's request for authentication information and, having determined that it carries a user identity, requests the binding of the UE's IP address and identity from the HSS. This request likewise carries the UE's identity, and the message with which the BSF requests the binding from the HSS carries an authentication scheme field, which is set to early IMS.
Step 104: the HSS queries the binding information the BSF needs according to the user identity in the received request and returns it to the BSF.
The user identity a UE normally sends in the access request is its IMPU, so the HSS query proceeds as follows: the HSS looks up the IMPI corresponding to the received IMPU, then the IP address corresponding to that IMPI; the binding information returned is the correspondence between the IMPU and the UE's IP address.
If the user identity carried by the UE initiating the access request is its IMPI or IMSI, the binding information returned by the HSS is the binding of IMPI and IP address, or of IMSI and IP address; alternatively, according to the needs of the network system, the HSS returns the binding of the required IMPI and/or IMPU with the user terminal's IP address. In other words, the binding information returned by the HSS is the correspondence between the identity of the requesting UE and the IP address it currently holds.
Step 105: after the BSF receives the binding information, it does not store it but forwards it directly to the AS. The benefit is that whenever the AS requests binding information from the BSF again, the BSF must query the HSS, so the information the BSF returns to the AS is always up to date.
Step 106: the AS stores the received binding information, then judges whether the binding of IP address and identity it has stored for this UE matches the IP address and identity of the UE that initiated the access request, that is, whether they are identical. If they match, the 2G UE passes authentication; otherwise it does not.
In the above embodiment, after the UE's IP address changes or is released, the GGSN notifies the HSS to update or delete the binding information. After the binding stored in the HSS changes, the HSS need not notify the BSF: normally, when an IP address changes or is released, the connection-oriented application layer protocol disconnects and a connection is re-established later; the AS deletes the stored binding when the connection is torn down, and when the UE reconnects the AS requests the binding information from the BSF again.
In the above embodiment, the AS that receives the access request and the HSS that stores the binding information may belong to the same home network or to different home networks.
Figure 2 is a schematic flow chart of embodiment two. In this embodiment the UE has attached to the 3GPP packet domain and has obtained the IP address allocated to it by the GGSN. At the same time the GGSN sends the UE's MSISDN, IMSI, IP address and related information to the HSS. The HSS finds the user's IMPI in the IMS system from the MSISDN or IMSI, and stores the UE's IMPI, the IMPUs corresponding to that IMPI, the MSISDN and the UE's IP address bound together. This embodiment is described taking a 2G UE accessing an AS as the example.
Step 201: the 2G UE initiates an access request to the AS, carrying its own identity, for example its IMPU. The request also carries an identifier of the authentication mode the UE supports. For the existing HTTP-based Ut interface, the User-Agent field of the HTTP GET message can carry this identifier. In this embodiment the authentication mode the 2G UE supports is the direct authentication mode using the Sh interface between the AS and the HSS; the identifier of this mode is written Ut-Sh-Authentication, and Ut-Sh-Authentication is added to the User-Agent field of the HTTP message.
Step 202: on judging from the received access request that the authentication mode identifier is Ut-Sh-Authentication, the AS sends a request for the binding of this UE's IP address and identity directly to the HSS over the Sh interface. This request likewise carries the user identity. Normally a request the AS sends to the HSS over Sh is carried in a User-Data-Request (UDR) message, and the attribute-value pairs (AVPs) in the request describe which user data is requested. In this embodiment an AVP requesting address binding information is added, so that the address binding can be requested over Sh.
Step 203: the HSS queries the binding information the AS needs according to the user identity in the received request and returns it directly to the AS. Normally the HSS uses a User-Data-Answer (UDA) message as the response to a UDR message on Sh. In this embodiment, because the response is to a binding request, the UDA message also uses the AVP added in step 202.
The user identity a UE normally sends in the access request is its IMPU, so the HSS query proceeds as follows: the HSS looks up the IMPI corresponding to the received IMPU, then the IP address corresponding to that IMPI; the binding information returned is the correspondence between the IMPU and the UE's IP address.
If the user identity carried by the UE initiating the access request is its IMPI or IMSI, the binding information returned by the HSS is the binding of IMPI and IP address, or of IMSI and IP address; alternatively, according to the needs of the network system, the HSS returns the binding of the required IMPI and/or IMPU with the user terminal's IP address. In other words, the binding information returned by the HSS is the correspondence between the identity of the requesting UE and the IP address it currently holds.
Step 204: the AS stores the received binding information, then judges whether the binding of IP address and identity it has stored for this UE matches the IP address and identity of the UE that initiated the access request, that is, whether they are identical. If they match, the 2G UE passes authentication; otherwise it does not.
In the above embodiment, after the UE's IP address changes or is released, the GGSN notifies the HSS to update or delete the binding information. After the binding stored in the HSS changes, the HSS need not notify the AS: normally, when an IP address changes or is released, the connection-oriented application layer protocol disconnects and a connection is re-established later; the AS deletes the stored binding when the connection is torn down, and when the UE reconnects the AS requests the binding information from the HSS again.
In the above embodiment, the AS that receives the access request and the HSS that stores the binding information must belong to the same home network.
All the above embodiments take a UE accessing an AS as the example. The AS in any of them can be replaced directly by an AP, which then performs the authentication of the accessing UE on behalf of the AS, and one or more ASs can sit behind one AP. Here all entities of the AS or AP kind are called application service entities.
Furthermore, as is well known, the relationship between a user's public identities (IMPUs) and private identity (IMPI) is many-to-one. Therefore in both embodiments, when the HSS returns binding information, it may also return the binding between the UE's IP address and all IMPUs associated with the IMPI. The benefit is that after the UE connects to the AS, its subsequent messages may switch to another IMPU, so the AS needs to store the correspondence between all of this UE's IMPUs and the IP address. This is especially useful when the AS in the above embodiments is replaced by an AP: several ASs may sit behind the AP, the AP performs authentication for them, and the IMPU a UE uses when sending requests to different ASs is likely to differ. If the AP has stored the correspondence between all of the UE's IMPUs and the UE's IP address, it can perform the proxied authentication quickly and accurately without repeated queries to the HSS.
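The two embodiments and the all-IMPUs variant above, modelled end to end as an added example (not code from the patent or from Huawei): a 2G UE sends an HTTP GET over Ut, the AS reads the mode identifier from User-Agent, fetches the identity-to-IP binding either through an Early-BSF (Early-GAA-Ut) or directly from the HSS (Ut-Sh-Authentication), stores it for the life of the connection, and accepts the request only if the IMPU named in it is bound to the address the request arrived from. HSS, BSF and GGSN are stand-ins holding constructed data. Assumed rather than stated by the patent: the IMPU travels in an X-3GPP-Intended-Identity header, the mode identifier is a token inside User-Agent, and the AS keys its stored binding by the source IP address.

```python
"""Model of the Ut authentication check described in embodiments one and two.
Added example with constructed data; the header name and the keying of the
stored binding by source IP are assumptions, not something the patent fixes."""

AUTH_MODES = ("Early-GAA-Ut", "Ut-Sh-Authentication")


class HSS:
    """Holds IMPI -> (IMPUs, IP) bindings as reported by the GGSN."""

    def __init__(self):
        self.bindings = {}     # IMPI -> {"impus": [...], "ip": str}
        self.impu_index = {}   # IMPU -> IMPI
        self.queries = 0       # how often the HSS was asked (checked by the test)

    def ggsn_report(self, impi, impus, ip):
        """GGSN reports the IP address just assigned to the UE."""
        self.bindings[impi] = {"impus": list(impus), "ip": ip}
        for impu in impus:
            self.impu_index[impu] = impi

    def ggsn_release(self, impi):
        """IP address released: the GGSN has the binding deleted."""
        for impu in self.bindings.pop(impi, {"impus": []})["impus"]:
            self.impu_index.pop(impu, None)

    def user_data_request(self, identity, auth_scheme):
        """Sh UDR stand-in: {IMPU: ip} for every IMPU of the IMPI, or None."""
        self.queries += 1
        if auth_scheme != "early-IMS":
            return None
        entry = self.bindings.get(self.impu_index.get(identity, identity))
        if entry is None:
            return None
        return {impu: entry["ip"] for impu in entry["impus"]}


class BSF:
    """Early-BSF: query only; forwards the HSS answer without storing it."""

    def __init__(self, hss):
        self.hss = hss

    def request_auth_info(self, identity):
        # No B-TID in the request, so this is the Early-GAA-Ut path.
        return self.hss.user_data_request(identity, "early-IMS")


class AS:
    """Application server (or AP) authenticating a 2G UE on Ut."""

    def __init__(self, hss, bsf):
        self.hss, self.bsf = hss, bsf
        self.saved = {}   # source IP -> {IMPU: ip}, kept while the connection lives

    @staticmethod
    def parse_get(raw):
        lines = raw.split("\r\n")
        if not lines[0].startswith("GET "):
            return None
        return {k.lower(): v for k, v in
                (line.split(": ", 1) for line in lines[1:] if ": " in line)}

    def fetch_binding(self, mode, impu):
        if mode == "Early-GAA-Ut":              # embodiment one
            return self.bsf.request_auth_info(impu)
        if mode == "Ut-Sh-Authentication":      # embodiment two
            return self.hss.user_data_request(impu, "early-IMS")
        return None                             # no known mode: nothing to check against

    def authenticate(self, raw_request, source_ip):
        hdrs = self.parse_get(raw_request)
        if hdrs is None:
            return False
        impu = hdrs.get("x-3gpp-intended-identity")
        mode = next((m for m in AUTH_MODES if m in hdrs.get("user-agent", "")), None)
        if not impu:
            return False
        binding = self.saved.get(source_ip)
        if binding is None:
            binding = self.fetch_binding(mode, impu)
            if binding is None:
                return False
            self.saved[source_ip] = binding
        # The check itself: the IMPU named in the request must be bound in the
        # HSS to the address the request actually arrived from.
        return binding.get(impu) == source_ip

    def connection_closed(self, source_ip):
        """Connection torn down: drop the binding so a reconnect re-queries."""
        self.saved.pop(source_ip, None)


def ut_get(impu, mode):
    """Constructed Ut request from the UE; the mode token goes into User-Agent."""
    return ("GET /groups/list HTTP/1.1\r\nHost: as.ims.example\r\n"
            f"User-Agent: Example2GClient/1.0 {mode}\r\n"
            f"X-3GPP-Intended-Identity: {impu}\r\n\r\n")
```

Because the HSS answer carries every IMPU of the IMPI, a second request on the same connection that switches to the tel: IMPU is accepted from the stored binding without another HSS query, which is the point of the all-IMPUs variant. A practitioner should keep in mind that the check binds the request to nothing more than its source address as the GGSN reported it; like the Early IMS check in the S-CSCF (3GPP TS 33.978), it holds only as long as the access network prevents a UE from sending packets with another UE's address.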
Before either embodiment is carried out, the UE and the AS may first establish a Transport Layer Security (TLS) tunnel. Because TLS is a transport layer protection protocol, performing the authentication process of the two embodiments after this tunnel is established gives the application layer communication between the UE and the AS adequate protection in addition to the application-layer authentication.
The above embodiments let the network side adapt to the UE, that is, let the network side authenticate a 2G UE. Alternatively the UE can adapt to the network side: the 2G user loads a software module that lets the 2G UE fully support the 3G functions, that is, support the 3G authentication mode, so that the network side can still authenticate the UE with the standard 3G authentication mode. The software module can be downloaded from the Internet or obtained directly from the operator.
The authentication mode of the above embodiments can be used both when the 2G UE first accesses the AS directly and for the messages the UE sends afterwards over that access.
The above is only a preferred embodiment of the present invention and does not limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (12)

1. A method for authenticating a user terminal, applicable to a 2G user terminal that accesses an application service entity directly, characterized in that the 2G user terminal, having attached to the 3GPP network, has obtained an IP address, and the Home Subscriber Server (HSS) has stored binding information consisting of the IP address and the identity of the 2G user terminal, and the method further comprises the following steps:
A. The 2G user terminal initiates an access request to the application service entity, carrying its own identity in the request. Based on the received access request, the application service entity obtains from the HSS the binding information consisting of the IP address and identity of this 2G user terminal, and stores it.
B. The application service entity judges whether the binding of IP address and identity it has stored for this 2G user terminal matches the IP address and identity of the 2G user terminal that initiated the access request. If they match, the 2G user terminal passes authentication; otherwise it does not.
2. method according to claim 1 is characterized in that, also comprises the authentication mode sign in the access request that described 2G user terminal is initiated,
When described authentication mode was designated early stage general authentication framework authentication mode, described applied business entity obtained the IP address of this 2G user terminal and the binding information of identify label thereof by the entity B SF that carries out the checking of user identity initial inspection from HSS.
3. method according to claim 2 is characterized in that, described applied business entity obtains the IP address of this 2G user terminal and the binding information of identify label thereof by BSF from HSS, and the process of preserving this binding information may further comprise the steps:
The applied business entity sends the message of request authentication information to BSF, comprise the identify label of user terminal in this request message, after BSF receives this request, identify label according to the user terminal in the request is asked the IP address of this 2G user terminal and the binding information of identify label thereof to HSS, and the binding information that obtains directly returned to the applied business entity, the applied business entity is preserved the binding information that receives;
Described BSF comprises the authentication scheme field in the message of HSS request binding information, this authentication scheme field is designated as early IMS.
4. method according to claim 3 is characterized in that, described BSF is the early stage Early-BSF that only possesses query function, or supports complete 3G function and possess the BSF of Early-BSF function.
5. method according to claim 3 is characterized in that, described applied business entity belongs to identical or different home network with the HSS that preserves binding information.
6. method according to claim 1 is characterized in that, also comprises the authentication mode sign in the access request that described 2G user terminal is initiated,
When described authentication mode was designated direct authentication mode, described applied business entity directly sent the binding information request message to HSS, received and preserve the IP address of this 2G user terminal that HSS returns and the binding information of identify label thereof.
7. method according to claim 6 is characterized in that, the request message that described applied business entity sends to HSS is by user data requests UDR message bearing, and the attribute information in this message indicates the request binding information; The response message that HSS returns for the applied business entity is replied the UDA message bearing by user data, and the attribute information in this message indicates the request binding information.
8. method according to claim 6 is characterized in that, described applied business entity belongs to identical home network with the HSS that preserves binding information.
9. according to claim 2 or 6 described methods, it is characterized in that,
Described 2G user terminal is carried by the request message HTTP GET based on http protocol to the access request that the applied business entity is initiated;
Authentication mode sign in the described request message is carried by the user agent user agent field among the HTTP GET.
10. method according to claim 1 is characterized in that, the identify label in the described access request is user's common identity sign IMPU;
The IP address of this 2G user terminal that described applied business entity obtains from HSS and the binding information of identify label thereof are: the corresponding relation that inserts the IP address of the IMPU that comprised the request and this 2G user terminal; Or the corresponding relation of the IP address of all IMPU of being had of the 2G user terminal that initiate to insert request and this 2G user terminal.
11. method according to claim 1 is characterized in that, this method further comprises: set up Transport Layer Security TLS tunnel and then execution in step a between 2G user terminal and the applied business entity.
12. method according to claim 1 is characterized in that, described applied business entity is application server AS or application server proxy AP.
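The procedure of claims 1, 3, 6, 7, 9 and 10, together with the note in the description that the same check can be reused for messages sent after access, as an added simulation that is not code from the patent or from the applicant: the 2G UE sends an HTTP GET carrying its IMPU and an authentication-mode flag in the User-Agent field; the AS fetches the IP-address/IMPU binding from the HSS, either directly (returning every IMPU of that terminal, the second form in claim 10) or through a query-only Early-BSF that tags its HSS request with the authentication scheme "early IMS", stores the binding, and compares it with the identity claimed and the address the request actually arrived from. The in-memory HSS table, the `X-IMPU` header carrying the identity, the User-Agent tokens that select the mode, and all addresses and identities are constructed assumptions; the Sh and Zh exchanges are replaced by in-process function calls.

```python
"""AS-side IP-address/IMPU binding check for a 2G UE (added illustration).

Not code from the patent. HSS data, header names, mode tokens, addresses and
identities are all constructed assumptions for this example.
"""
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed HSS data: IMPU -> IP address the UE obtained when it attached.
# A real HSS would answer over Sh with UDR/UDA (claim 7); here it is a dict.
HSS_BINDINGS: Dict[str, str] = {
    "sip:alice@example.net": "10.0.0.5",
    "tel:+15550001": "10.0.0.5",          # second IMPU of the same UE
    "sip:bob@example.net": "10.0.0.9",
}

# Assumed User-Agent product tokens selecting the mode (claims 2, 6, 9).
MODE_EARLY_GAA = "3gpp-gaa-early"
MODE_DIRECT = "3gpp-direct"
IMPU_HEADER = "x-impu"   # assumed request header carrying the identity

Binding = Tuple[FrozenSet[str], str]   # (IMPUs of the UE, its IP address)


def parse_access_request(raw: bytes) -> Dict[str, str]:
    """Parse the HTTP GET access request into target, IMPU and auth mode (claim 9)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("access request must be an HTTP GET")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ua_tokens = headers.get("user-agent", "").split()
    mode = next((t for t in (MODE_EARLY_GAA, MODE_DIRECT) if t in ua_tokens), "")
    return {"target": target, "impu": headers.get(IMPU_HEADER, ""), "mode": mode}


def hss_lookup(impu: str, all_impus: bool) -> Optional[Binding]:
    """HSS: binding for the UE owning `impu`, in either form of claim 10.

    all_impus=False returns only the requested IMPU; True returns every IMPU
    registered to the same IP address (i.e. the same terminal).
    """
    ip = HSS_BINDINGS.get(impu)
    if ip is None:
        return None
    impus = {impu} if not all_impus else {u for u, a in HSS_BINDINGS.items() if a == ip}
    return frozenset(impus), ip


def bsf_lookup(impu: str) -> Optional[Binding]:
    """Query-only Early-BSF (claim 4): asks the HSS with authentication scheme
    'early IMS' (claim 3) and relays the binding to the AS unchanged."""
    query = {"impu": impu, "authentication-scheme": "early IMS"}   # field of claim 3
    return hss_lookup(query["impu"], all_impus=False)


class ApplicationServer:
    """AS or AP (claim 12): stores bindings and performs steps a and b of claim 1."""

    def __init__(self) -> None:
        self.bindings: Dict[str, Binding] = {}

    def authenticate(self, raw_request: bytes, peer_ip: str) -> Tuple[bool, str]:
        req = parse_access_request(raw_request)
        impu = req["impu"]
        if not impu:
            return False, "no identity in request"
        # Step a: fetch the binding over the path selected by the mode flag.
        if req["mode"] == MODE_EARLY_GAA:
            binding = bsf_lookup(impu)
        elif req["mode"] == MODE_DIRECT:
            binding = hss_lookup(impu, all_impus=True)
        else:
            return False, "unknown authentication mode"
        if binding is None:
            return False, "HSS has no binding for this identity"
        self.bindings[impu] = binding
        # Step b: claimed identity and the source address of the request must
        # both match the stored binding.
        impus, bound_ip = binding
        if impu in impus and peer_ip == bound_ip:
            return True, "binding matches"
        return False, f"{impu} is bound to {bound_ip}, request came from {peer_ip}"

    def check_subsequent(self, impu: str, peer_ip: str) -> bool:
        """Re-check a later message against the binding stored at access time."""
        binding = self.bindings.get(impu)
        return binding is not None and impu in binding[0] and peer_ip == binding[1]


def build_request(impu: str, mode: str) -> bytes:
    """Constructed HTTP GET access request using the assumed headers."""
    return (
        f"GET /service HTTP/1.1\r\nHost: as.example.net\r\n"
        f"User-Agent: UE2G/1.0 {mode}\r\n{IMPU_HEADER}: {impu}\r\n\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    server = ApplicationServer()
    print(server.authenticate(build_request("sip:alice@example.net", MODE_DIRECT), "10.0.0.5"))
    print(server.authenticate(build_request("sip:alice@example.net", MODE_DIRECT), "10.0.0.9"))
```

The second call in the `__main__` block shows the case the scheme is meant to catch: a terminal at 10.0.0.9 presenting alice's IMPU is refused because the HSS binds that identity to 10.0.0.5. The check ties an application-layer identity to a network-layer source address, so it is only as strong as the access network's assurance that a terminal cannot originate packets from another subscriber's address, and the HSS binding must be refreshed whenever an address is reassigned; the TLS tunnel of claim 11 protects the request in transit but does not by itself provide that assurance.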
CNB2005100774766A 2005-06-21 2005-06-21 Method for carrying out authentication on user terminal Expired - Fee Related CN100379315C (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
CNB2005100774766A CN100379315C (en) 2005-06-21 2005-06-21 Method for carrying out authentication on user terminal
EP06742203A EP1816825A4 (en) 2005-06-21 2006-06-21 A method and system for authenticating user terminal
PCT/CN2006/001416 WO2006136106A1 (en) 2005-06-21 2006-06-21 A method and system for authenticating user terminal
CNA2006800123062A CN101160920A (en) 2005-06-21 2006-06-21 Method and system for authenticating user terminal
US11/735,541 US20070249342A1 (en) 2005-06-21 2007-04-16 Method, system and application service entity for authenticating user equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005100774766A CN100379315C (en) 2005-06-21 2005-06-21 Method for carrying out authentication on user terminal

Publications (2)

Publication Number Publication Date
CN1802016A CN1802016A (en) 2006-07-12
CN100379315C true CN100379315C (en) 2008-04-02

Family

ID=36811707

Family Applications (2)

Application Number Title Priority Date Filing Date
CNB2005100774766A Expired - Fee Related CN100379315C (en) 2005-06-21 2005-06-21 Method for carrying out authentication on user terminal
CNA2006800123062A Pending CN101160920A (en) 2005-06-21 2006-06-21 Method and system for authenticating user terminal

Family Applications After (1)

Application Number Title Priority Date Filing Date
CNA2006800123062A Pending CN101160920A (en) 2005-06-21 2006-06-21 Method and system for authenticating user terminal

Country Status (4)

Country Link
US (1) US20070249342A1 (en)
EP (1) EP1816825A4 (en)
CN (2) CN100379315C (en)
WO (1) WO2006136106A1 (en)

Families Citing this family (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101030853B (en) * 2006-03-02 2010-04-14 华为技术有限公司 Method for authenticating user terminal
CN101102186B (en) * 2006-07-04 2012-01-04 华为技术有限公司 Method for implementing general authentication framework service push
CN101072326B (en) * 2007-06-20 2011-12-21 华为技术有限公司 method, system and device for accessing service of non-attribution contracted IPIV service provider
JP5351181B2 (en) * 2008-02-21 2013-11-27 アルカテル−ルーセント One-pass authentication mechanism and system for heterogeneous networks
US8359031B2 (en) * 2008-09-19 2013-01-22 Clear Channel Management Services, Inc. Computer based method and system for logging in a user mobile device at a server computer system
CN102917342B (en) * 2008-09-28 2015-11-25 华为技术有限公司 User equipment action information Notification Method, system and network element device, server
CN101715173B (en) * 2008-10-06 2013-06-05 华为技术有限公司 Method, system, network element equipment and server for informing user equipment action information
CN101729578B (en) * 2008-10-27 2013-01-23 华为技术有限公司 Application service access authentication method and application service access authentication agent
CN101478755B (en) * 2009-01-21 2011-05-11 中兴通讯股份有限公司 Network security HTTP negotiation method and related apparatus
KR101094577B1 (en) 2009-02-27 2011-12-19 주식회사 케이티 Method for User Terminal Authentication of Interface Server and Interface Server and User Terminal thereof
CN102238211A (en) * 2010-04-23 2011-11-09 上海博泰悦臻电子设备制造有限公司 On-vehicle communication service provision and acquisition methods and devices, and system
CN101945102B (en) * 2010-07-26 2014-07-16 中兴通讯股份有限公司 Method, server and system for authenticating IPTV (intelligent personal television) user validation based on IMS (IP Multimedia Subsystem)
EP2418815B1 (en) 2010-08-12 2019-01-02 Deutsche Telekom AG Managing Session Initiation Protocol communications towards a user entity in a communication network
EP2418818B1 (en) * 2010-08-12 2018-02-14 Deutsche Telekom AG Network entity for managing communications towards a user entity over a communication network
EP2418817B1 (en) 2010-08-12 2018-12-12 Deutsche Telekom AG Application server for managing communications towards a set of user entities
CN102469448B (en) * 2010-11-08 2016-12-28 中兴通讯股份有限公司 A kind of method, system and device of machine type communication Access Control
RU2582863C2 (en) * 2011-10-31 2016-04-27 Нокиа Текнолоджиз Ой Security mechanism for external code
EP2805450B1 (en) * 2012-01-19 2019-05-15 Nokia Solutions and Networks Oy Detection of non-entitlement of a subscriber to a service in communication networks
US20130212653A1 (en) * 2012-02-09 2013-08-15 Indigo Identityware Systems and methods for password-free authentication
CN103888415B (en) * 2012-12-20 2017-09-15 中国移动通信集团公司 The nomadic control method and device of IMS user
CN104468464B (en) * 2013-09-12 2018-07-06 深圳市腾讯计算机系统有限公司 verification method, device and system
CN104753872B (en) * 2013-12-30 2018-10-12 中国移动通信集团公司 Authentication method, authentication platform, business platform, network element and system
US10791496B2 (en) * 2016-06-30 2020-09-29 T-Mobile Usa, Inc. Restoration of serving call session control and application server function
CN108024248B (en) * 2016-10-31 2022-11-08 中兴通讯股份有限公司 Authentication method and device for Internet of things platform
CN114969703A (en) * 2016-11-08 2022-08-30 华为技术有限公司 Authentication method and electronic equipment
CN106599622A (en) * 2016-12-06 2017-04-26 福建中金在线信息科技有限公司 Method and device for filtering application software interface program
CN109756450B (en) 2017-11-03 2021-06-15 华为技术有限公司 Method, device and system for communication of Internet of things and storage medium
CN109962878B (en) * 2017-12-14 2021-04-16 大唐移动通信设备有限公司 Registration method and device of IMS (IP multimedia subsystem) user
US10721621B2 (en) * 2018-05-23 2020-07-21 Cisco Technology, Inc. Updating policy for a video flow during transitions
CN112422479A (en) * 2019-08-22 2021-02-26 北京奇虎科技有限公司 Equipment binding method, device and system
CN114125836A (en) * 2020-08-10 2022-03-01 中国移动通信有限公司研究院 Authentication method, device, equipment and storage medium
US11638134B2 (en) * 2021-07-02 2023-04-25 Oracle International Corporation Methods, systems, and computer readable media for resource cleanup in communications networks
US11709725B1 (en) 2022-01-19 2023-07-25 Oracle International Corporation Methods, systems, and computer readable media for health checking involving common application programming interface framework

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030159067A1 (en) * 2002-02-21 2003-08-21 Nokia Corporation Method and apparatus for granting access by a portable phone to multimedia services
US20040122934A1 (en) * 2001-04-03 2004-06-24 Ilkka Westman Registering a user in a communication network
US20040230697A1 (en) * 2003-05-13 2004-11-18 Nokia Corporation Registrations in a communication system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8621582B2 (en) * 2004-05-12 2013-12-31 Telefonaktiebolaget Lm Ericsson (Publ) Authentication system
GB0414421D0 (en) * 2004-06-28 2004-07-28 Nokia Corp Authenticating users
US20060020791A1 (en) * 2004-07-22 2006-01-26 Pekka Laitinen Entity for use in a generic authentication architecture
TWI475862B (en) * 2005-02-04 2015-03-01 高通公司 Secure bootstrapping for wireless communications
JP2008530879A (en) * 2005-02-11 2008-08-07 ノキア コーポレイション Method and apparatus for providing a bootstrapping procedure in a communication network
GB0504865D0 (en) * 2005-03-09 2005-04-13 Nokia Corp User authentication in a communications system

Also Published As

Publication number Publication date
WO2006136106A1 (en) 2006-12-28
CN101160920A (en) 2008-04-09
CN1802016A (en) 2006-07-12
EP1816825A1 (en) 2007-08-08
US20070249342A1 (en) 2007-10-25
EP1816825A4 (en) 2008-03-05

Similar Documents

Publication Publication Date Title
CN100379315C (en) Method for carrying out authentication on user terminal
CN100382503C (en) Registration abnormity handling method in user registration course
JP5302330B2 (en) Method and apparatus for use in a communication network
RU2379856C2 (en) Method and element for managing service
US9560082B2 (en) Method and network device establishing a binding between a plurality of separate sessions in a network
CN100542321C (en) A plurality of registrations of user in the mobile communication system
CN100596076C (en) User equipment registration, activation system, method and device in personal management
CN101094061B (en) Access method for authorizing and authenticating digital gateway system, devices, and network terminal devices
CN100391167C (en) Service call session control function entity backup method and system thereof
CN1642083A (en) Network side anthority-discrimination-mode selecting method
US20070055874A1 (en) Bundled subscriber authentication in next generation communication networks
US20070171851A1 (en) Method for the control and evaluation of a message traffic of a communication unit by means of a first network unit within a mobile radio system, pertaining communication unit and first network unit
US8265622B2 (en) Method and saving entity for setting service
CN100493227C (en) Method for treating user of updating IP address at network side
EP2790426B1 (en) Method and system for enabling an Aggregation/Authentication Proxy to route XCAP messages to IMS Application Server
EP1880556B1 (en) Method and element for service control
US9692835B2 (en) Method and apparatuses for the provision of network services offered through a set of servers in an IMS network
CN100387014C (en) Method for treating abnormity of registration in procedure of registering users
CN100433913C (en) Method for realizing registering in IP multi-media subsystem
CN100388662C (en) Method for preventing user with 3G ability from using transition right-identification mode
CN100536484C (en) Method for canceling IP address
CN100370870C (en) A method for obtaining information in different public land mobile networks and system therefor
CN1997024A (en) A method for load alleviation of the server interface of the homing subscribed user
CN105049230A (en) Vehicle disaster recovery method for distributed multimedia sub-system based on domain name system and vehicle disaster recovery system thereof

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080402

Termination date: 20210621